Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AMQP 1.0: support JWT (OAuth 2) token renewal #12599

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Conversation

ansd
Copy link
Member

@ansd ansd commented Oct 28, 2024

Closes #9259.

What?

Allow an AMQP 1.0 client to renew an OAuth 2.0 token before it expires.

Why?

This allows clients to keep the AMQP connection open instead of having to create a new connection whenever the token expires.

How?

As explained in #9259 (comment) the client can PUT a new token on HTTP API v2 path /auth/tokens. RabbitMQ will then:

  1. Store the new token on the given connection.
  2. Recheck access to the connection's vhost.
  3. Clear all permission caches in the AMQP sessions.
  4. Recheck write permissions to exchanges for links publishing to RabbitMQ, and recheck read permissions from queues for links consuming from RabbitMQ. The latter complies with the user expectation in OAuth2 and JWT: Rabbitmq sends messages to client despite expired token #11364.

@ansd ansd added this to the 4.1.0 milestone Oct 28, 2024
@ansd ansd force-pushed the amqp-token-renew branch 2 times, most recently from d2888ae to 88fad63 Compare October 29, 2024 10:58
@michaelklishin michaelklishin changed the title Support AMQP 1.0 token renewal AMQP 1.0: support JWT (OAuth 2) token renewal Oct 29, 2024
@ansd ansd force-pushed the amqp-token-renew branch 2 times, most recently from 41d24ab to eff36e1 Compare October 29, 2024 19:18
Closes #9259.

 ## What?
Allow an AMQP 1.0 client to renew an OAuth 2.0 token before it expires.

 ## Why?
This allows clients to keep the AMQP connection open instead of having
to create a new connection whenever the token expires.

 ## How?
As explained in #9259 (comment)
the client can `PUT` a new token on HTTP API v2 path `/auth/tokens`.
RabbitMQ will then:
1. Store the new token on the given connection.
2. Recheck access to the connection's vhost.
3. Clear all permission caches in the AMQP sessions.
4. Recheck write permissions to exchanges for links publishing to
   RabbitMQ, and recheck read permissions from queues for links
   consuming from RabbitMQ. The latter complies with the user
   expectation in #11364.

TODOs:
* Check new log process metadata
* Update docs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support OAuth 2.0 token renewal in AMQP 1.0
1 participant